FIXUP: Make tests work after 'podman load -i'

1. Create a multi-architecture container image for Dangerzone, instead
   of having two different tarballs (or no option at all)
2. Build the Dangerzone container image on our supported architectures
   (linux/amd64 and linux/arm64). It so happens that GitHub also offers
   ARM machine runners, which speeds up the build.
3. Combine the images from these two architectures into one, multi-arch
   image.
4. Generate provenance info for each manifest, and the root manifest
   list.
5. Check the image's reproduciblity.

Also, remove an older CI action, that is now obsolete.

Fixes #1035

.github/workflows/ci.yml

@@ -125,9 +125,9 @@ jobs:
         with:
           dotnet-version: "8.x"
       - name: Install WiX Toolset
-        run: dotnet tool install --global wix
+        run: dotnet tool install --global wix --version 5.0.2
       - name: Add WiX UI extension
-        run: wix extension add --global WixToolset.UI.wixext
+        run: wix extension add --global WixToolset.UI.wixext/5.0.2
       - name: Build the MSI installer
         # NOTE: This also builds the .exe internally.
         run: poetry run .\install\windows\build-app.bat

.github/workflows/scan.yml

@@ -10,7 +10,12 @@ on:
 
 jobs:
   security-scan-container:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runs-on:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+    runs-on: ${{ matrix.runs-on }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -51,7 +56,12 @@ jobs:
           severity-cutoff: critical
 
   security-scan-app:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runs-on:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+    runs-on: ${{ matrix.runs-on }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/scan_released.yml

@@ -9,11 +9,10 @@ jobs:
     strategy:
       matrix:
         include:
-          - runs-on: ubuntu-latest
+          - runs-on: ubuntu-24.04
             arch: i686
-          # Do not scan Silicon mac for now to avoid masking release scan results for other plaforms.
+          - runs-on: ubuntu-24.04-arm
-          # - runs-on: macos-latest
+            arch: arm64
-          #   arch: arm64
     runs-on: ${{ matrix.runs-on }}
     steps:
       - name: Checkout
@@ -55,7 +54,12 @@ jobs:
           severity-cutoff: critical
 
   security-scan-app:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runs-on:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+    runs-on: ${{ matrix.runs-on }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.well-known/funding-manifest-urls

@@ -0,0 +1 @@
+https://dangerzone.rocks/assets/json/funding.json

BUILD.md

@@ -478,13 +478,13 @@ poetry shell
 Install [.NET SDK](https://dotnet.microsoft.com/en-us/download) version 6 or later. Then, open a terminal and install the latest version of [WiX Toolset .NET tool](https://wixtoolset.org/) **v5** with:
 
 ```sh
-dotnet tool install --global wix --version 5.*
+dotnet tool install --global wix --version 5.0.2
 ```
 
 Install the WiX UI extension. You may need to open a new terminal in order to use the newly installed `wix` .NET tool:
 
 ```sh
-wix extension add --global WixToolset.UI.wixext/5.x.y
+wix extension add --global WixToolset.UI.wixext/5.0.2
 ```
 
 > [!IMPORTANT]

Dockerfile

@@ -185,7 +185,7 @@ RUN mkdir -p \
 # Copy the /etc and /var directories under the new root directory. Also,
 # copy /etc/, /opt, and /usr to the Dangerzone image rootfs.
 #
-# XXX: We also have to remove the resolv.conf file, in order to not leak any DNS
+# NOTE: We also have to remove the resolv.conf file, in order to not leak any DNS
 # servers added there during image build time.
 RUN cp -r /etc /var /new_root/ \
     && rm /new_root/etc/resolv.conf

Dockerfile.in

@@ -185,8 +185,8 @@ RUN mkdir -p \
 # Copy the /etc and /var directories under the new root directory. Also,
 # copy /etc/, /opt, and /usr to the Dangerzone image rootfs.
 #
-# XXX: We also have to remove the resolv.conf file, in order to not leak any DNS
+# NOTE: We also have to remove the resolv.conf file, in order to not leak any
-# servers added there during image build time.
+# DNS servers added there during image build time.
 RUN cp -r /etc /var /new_root/ \
     && rm /new_root/etc/resolv.conf
 RUN cp -r /etc /opt /usr /new_root/home/dangerzone/dangerzone-image/rootfs \

RELEASE.md

@@ -10,6 +10,7 @@ Here is a list of tasks that should be done before issuing the release:
       You can generate its content with the the `poetry run ./dev_scripts/generate-release-tasks.py` command.
 - [ ] [Add new Linux platforms and remove obsolete ones](https://github.com/freedomofpress/dangerzone/blob/main/RELEASE.md#add-new-linux-platforms-and-remove-obsolete-ones)
 - [ ] Bump the Python dependencies using `poetry lock`
+- [ ] Check for new [WiX releases](https://github.com/wixtoolset/wix/releases) and update it if needed
 - [ ] Update `version` in `pyproject.toml`
 - [ ] Update `share/version.txt`
 - [ ] Update the "Version" field in `install/linux/dangerzone.spec`

tests/isolation_provider/test_container.py

@@ -8,6 +8,7 @@ from pytest_subprocess import FakeProcess
 from dangerzone import container_utils, errors
 from dangerzone.isolation_provider.container import Container
 from dangerzone.isolation_provider.qubes import is_qubes_native_conversion
+from dangerzone.util import get_resource_path
 
 from .base import IsolationProviderTermination, IsolationProviderTest
 
@@ -47,7 +48,7 @@ class TestContainer(IsolationProviderTest):
         provider.is_available()
 
     def test_install_raise_if_image_cant_be_installed(
-        self, mocker: MockerFixture, provider: Container, fp: FakeProcess
+        self, provider: Container, fp: FakeProcess
     ) -> None:
         """When an image installation fails, an exception should be raised"""
 
@@ -68,11 +69,13 @@ class TestContainer(IsolationProviderTest):
             occurrences=2,
         )
 
-        # Make podman load fail
-        mocker.patch("builtins.open", mocker.mock_open(read_data=""))
-
         fp.register_subprocess(
-            [container_utils.get_runtime(), "load"],
+            [
+                container_utils.get_runtime(),
+                "load",
+                "-i",
+                get_resource_path("container.tar"),
+            ],
             returncode=-1,
         )
 
@@ -80,7 +83,7 @@ class TestContainer(IsolationProviderTest):
             provider.install()
 
     def test_install_raises_if_still_not_installed(
-        self, mocker: MockerFixture, provider: Container, fp: FakeProcess
+        self, provider: Container, fp: FakeProcess
     ) -> None:
         """When an image keep being not installed, it should return False"""
         fp.register_subprocess(
@@ -105,10 +108,13 @@ class TestContainer(IsolationProviderTest):
             occurrences=2,
         )
 
-        # Patch open and podman load so that it works
-        mocker.patch("builtins.open", mocker.mock_open(read_data=""))
         fp.register_subprocess(
-            [container_utils.get_runtime(), "load"],
+            [
+                container_utils.get_runtime(),
+                "load",
+                "-i",
+                get_resource_path("container.tar"),
+            ],
         )
         with pytest.raises(errors.ImageNotPresentException):
             provider.install()
@@ -195,7 +201,7 @@ class TestContainer(IsolationProviderTest):
         reason="Linux specific",
     )
     def test_linux_skips_desktop_version_check_returns_true(
-        self, mocker: MockerFixture, provider: Container
+        self, provider: Container
     ) -> None:
         assert (True, "") == provider.check_docker_desktop_version()